Not sure. Multiple people keep telling me this isn't necessary but I found that if I don't use these entries then accesses from other local machines on the same network become unreliable. Adding the extra line solves that problem.

> -----Original Message-----
> From: Payal Rathod [mailto:payal-netfilter@xxxxxxxxxxxxxxxxx]
> Sent: Tuesday, July 12, 2005 12:34 AM
> To: Gary W. Smith
> Cc: Netfilter ML
> Subject: Re: dnatting
>
> On Mon, Jul 11, 2005 at 12:09:44PM -0700, Gary W. Smith wrote:
> > Payal,
> >
> > You need to add a second simple entry:
> [...]
>
> Thanks this solved it. Thanks again.
> Now I am curious why Jason didn't suggest this.
>
> With warm regards,
> -Payal
>
> > Look at the entries below. I'm mapping an entire IP but this would be
> > simple to just to a single port. The second POSTROUTING line is what
> > made everything work for my typical firewalls.
> >
> > # Completed on Mon Jul 11 10:58:27 2005
> > # Generated by iptables-save v1.2.11 on Mon Jul 11 10:58:27 2005
> > *nat
> > :PREROUTING ACCEPT [2547:176804]
> > :POSTROUTING ACCEPT [633:40896]
> > :OUTPUT ACCEPT [40:4518]
> > -A PREROUTING -d 81.45.25.50 -j DNAT --to-destination 10.94.16.50
> >
> > -A POSTROUTING -s 10.94.16.50 -o eth0 -j SNAT --to-source 81.45.25.50
> > -A POSTROUTING -s 10.94.16.50 -d 10.94.16.0/255.255.255.0 -j SNAT --to-source 81.45.25.50
> >
> > -A POSTROUTING -o eth0 -p ! ipv6-crypt -j SNAT --to-source 81.45.25.50
> > -A OUTPUT -d 81.45.25.50 -j DNAT --to-destination 10.94.16.50
> > COMMIT
> > # Completed on Mon Jul 11 10:58:27 2005
> >
> > > -----Original Message-----
> > > From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Payal Rathod
> > > Sent: Monday, July 11, 2005 8:19 AM
> > > To: Netfilter ML
> > > Subject: dnatting
> > >
> > > Hi,
> > > I have a rule on my friend's broadband connection to redirect traffic
> > > from outside to an internal machine like,
> > >
> > > iptables -A PREROUTING -d 1.2.3.4 -p tcp -m tcp --dport 80 -j DNAT \
> > > --to-destination 192.168.10.10:80
> > >
> > > But she complained that people from inside the network cannot do
> > > http://1.2.3.4 in their browser and see the site. Is she correct?
> > > What is wrong with my rule because I can see the site from outside?
> > >
> > > Thanks in advance.
> > > With warm regards,
> > > -Payal
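
The behaviour discussed in this thread, as an added example that is not part of the original messages: a simplified Python model of the address rewriting for the DNAT rule in the original question, showing why outside clients work and inside clients do not. The client addresses, the router LAN address 192.168.10.1, the /24 LAN and the LAN-to-server SNAT to the router's address are assumptions for illustration, and the server is assumed to use the router as its default gateway.

```python
from ipaddress import ip_address, ip_network

# PUBLIC and SERVER come from the original question; everything else is assumed.
PUBLIC, SERVER = "1.2.3.4", "192.168.10.10"
ROUTER_LAN = "192.168.10.1"              # assumed router address on the LAN
LAN = ip_network("192.168.10.0/24")      # assumed LAN prefix


def on_lan(addr):
    return ip_address(addr) in LAN


def trace(client, snat_lan_to_server):
    """Follow one request to PUBLIC and the reply to it.

    Returns (accepted, reply_source): whether the client can match the reply
    to the connection it opened, and the source address the client sees.
    """
    src = client
    # PREROUTING on the router: DNAT rewrites the destination to SERVER.
    # POSTROUTING: optional SNAT of LAN-to-server traffic to the router.
    if snat_lan_to_server and on_lan(src):
        src = ROUTER_LAN
    # The server answers whatever source address it saw.
    reply_src, reply_dst = SERVER, src
    # Replies to off-LAN addresses leave via the default gateway, and replies
    # to the router's own address reach it directly. In both cases connection
    # tracking on the router reverses the NAT.
    via_router = reply_dst == ROUTER_LAN or not on_lan(reply_dst)
    if via_router:
        reply_src, reply_dst = PUBLIC, client
    # Otherwise the reply went straight to the LAN client, bypassing the
    # router, and still carries the server's private address as its source.
    accepted = reply_src == PUBLIC and reply_dst == client
    return accepted, reply_src


if __name__ == "__main__":
    cases = [("203.0.113.7", False),     # constructed outside client
             ("192.168.10.20", False),   # constructed inside client, DNAT only
             ("192.168.10.20", True)]    # inside client with the extra SNAT
    for client, snat in cases:
        print(client, "snat" if snat else "dnat-only", trace(client, snat))
```
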